[xmlsec] Custom CRL
Aleksey Sanin
aleksey at aleksey.com
Tue May 21 21:18:53 PDT 2013
Well, you have a public key in the signature. No surprise it doesn't
even hit certificate validation (why bother???).
Funny, I just wrote another reply about the same topic: enabledKeyData
in xmlSecKeyInfoCtx (see examples in xmlsec command line tool code).
Aleksey
On 5/21/13 9:15 PM, Francisco Obispo wrote:
> This is the one that I'm currently using..
>
> I also have the same file signed with a revoked cert for testing purposes.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> XML Security Library example: Simple signature template file for sign1 example.
> -->
> <demo id="test">
> <Data>
> Hello, World!
> </Data>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>LdhuGRwbntos7k+Bi5zGpZg8alY=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>1NGlGwove0a1cyGySo8AUkQqXCGCyyKJIA6+JjVGQtgFZJ//DbLf+da5w32KBlRg
> YAh+vMOH3455nZudj4exL14pVtFXlvLPTSsRRYSKf9E3KH2B5CI21vCgto8e85t+
> 47bQyoodvqPKyq21o94qwAvSKPkyibUYdqmSvU/s8Cg=</SignatureValue>
> <KeyInfo>
> <KeyValue>
> <RSAKeyValue>
> <Modulus>
> 5ql5wGtT/5uxGcjeUxbCoA9VVFYer4BF7IbPcQg4BNbu9e3iXiNe+nKCXXEg+vAp
> e6zjIc6ZwgVMVXBms+gCMdsKkOl4MmmPyWgew0JLbURq19qEFFfvWu4VpigcGYMM
> /9BCp8wSNxck4bRqNTpt0CB+fPxdkEqjHi2/YSWynuk=
> </Modulus>
> <Exponent>
> AQAB
> </Exponent>
> </RSAKeyValue>
> </KeyValue>
> <X509Data>
> <X509Certificate>
> MIIC1TCCAb2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADAAMB4XDTEzMDUyMTAyNDUw
> MFoXDTE0MDUyMTAyNDUwMFowgYoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEV
> MBMGA1UEBxMMUmVkd29vZCBDaXR5MQwwCgYDVQQKEwNJU0MxETAPBgNVBAsTCFNl
> cnZpY2VzMRUwEwYDVQQDEwxpc2Mtc2VydmljZXMxHzAdBgkqhkiG9w0BCQEWEHNl
> cnZpY2VzQGlzYy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOapecBr
> U/+bsRnI3lMWwqAPVVRWHq+AReyGz3EIOATW7vXt4l4jXvpygl1xIPrwKXus4yHO
> mcIFTFVwZrPoAjHbCpDpeDJpj8loHsNCS21EatfahBRX71ruFaYoHBmDDP/QQqfM
> EjcXJOG0ajU6bdAgfnz8XZBKox4tv2Elsp7pAgMBAAGjUzBRMA8GA1UdEwEB/wQF
> MAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhC
> AQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBCwUAA4IBAQDUJPIsQSmN
> 3bEBvSfQUSoo0wswVzSBjdAzFw03br06V22GZqYn9lyItvZYLBu6k1C/aOUALod5
> eaXmtxkJ4lKzgsV6o1OryQmlXYQImVR1mYHoGjtg+m/0vJn44xaw2+krfjjz4/3m
> g9XgS7ylnijhCWIipYOHbr2hcS1Bk5UgLXL/Dca/9q/qy43aVaj7B5TQt+m6jI5K
> BckFk4tGz3nQHnvTqURMG/yMBvGZjEL5eTZCd8CmtlHsdTfN6dxPJC0FJ/Ua7v+x
> wuB8dfRggEImIjZpT1qoH6J6FLvFamc8Fv0888H7vcjTKAYka1QTe2svFa246svN
> 8cwhfzbaztws
> </X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> </demo>
>
> On May 21, 2013, at 9:12 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>> Hm... Something is really wrong. What does your signed document look like?
>> Does it have the public key in it by any chance?
>>
>> Aleksey
>>
>> On 5/21/13 9:10 PM, Francisco Obispo wrote:
>>> Mhm,
>>>
>>> It doesn't break there either:
>>>
>>> $ gdb verify
>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
>>> Copyright 2004 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License, and you are
>>> welcome to change it and/or distribute copies of it under certain conditions.
>>> Type "show copying" to see the conditions.
>>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ........... done
>>>
>>> (gdb) break xmlSecOpenSSLX509StoreVerify
>>> Breakpoint 1 at 0x3126e978d442cb
>>> (gdb) run Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>> Starting program: /Users/fobispo/code/registry/tools/isc-xml-signature/verify Perl/ISC-XML-Signature/t/files/sample-signed.xml Perl/ISC-XML-Signature/t/files/xca/TestCA.crt Perl/ISC-XML-Signature/t/files/xca/TestCA.crl id
>>> Reading symbols for shared libraries ++++++++++.............................. done
>>> VALIDATING!!!!!
>>> = KEY INFO READ CONTEXT
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled key data: all
>>> == RetrievalMethod level (cur/max): 0/1
>>> == TRANSFORMS CTX (status=0)
>>> == flags: 0x00000000
>>> == flags2: 0x00000000
>>> == enabled transforms: all
>>> === uri: NULL
>>> === uri xpointer expr: NULL
>>> == EncryptedKey level (cur/max): 0/1
>>> === KeyReq:
>>> ==== keyId: rsa
>>> ==== keyType: 0x00000001
>>> ==== keyUsage: 0x00000002
>>> ==== keyBitsSize: 0
>>> === list size: 0
>>> File: Perl/ISC-XML-Signature/t/files/sample-signed.xml OK
>>>
>>> Program exited normally.
>>> (gdb)
>>>
>>> On May 21, 2013, at 9:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>>> It should do the check. I am surprised it doesn't.
>>>>
>>>> Can you break into the xmlSecOpenSSLX509StoreVerify() function? There is
>>>> a piece of code that checks against the in-document CRL and then the store CRL.
>>>> Curious to find out why it doesn't do the expected thing.
>>>>
>>>>
>>>> Aleksey
>>>>
>>>> On 5/21/13 8:32 PM, Francisco Obispo wrote:
>>>>> Tried it,
>>>>>
>>>>> It never gets called, so I'm wondering if I'm missing something. :-(
>>>>>
>>>>> So, besides adding the CRL to the key store, is there anything else I need to call to verify the cert?
>>>>>
>>>>> Would xmlSecDSigCtxVerify() do the check? or do I need to call another function separately?
>>>>>
>>>>> thanks
>>>>>
>>>>>
>>>>> On May 21, 2013, at 7:14 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>>
>>>>>> Well, the code clearly uses the CRLs (it's the same function that
>>>>>> processes CRLs in the signature). If you have a debug version, put
>>>>>> a breakpoint in the xmlSecOpenSSLX509VerifyCertAgainstCrls() function
>>>>>> to see if it is called and what's happening inside it.
>>>>>
>>>>> Francisco Obispo
>>>>> Director of Applications and Services - ISC
>>>>> email: fobispo at isc.org
>>>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>>>> PGP KeyID = B38DB1BE
>>>>>
>>>
>>> Francisco Obispo
>>> Director of Applications and Services - ISC
>>> email: fobispo at isc.org
>>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>>> PGP KeyID = B38DB1BE
>>>
>
> Francisco Obispo
> Director of Applications and Services - ISC
> email: fobispo at isc.org
> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> PGP KeyID = B38DB1BE
>
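The root cause Aleksey points at is visible in the quoted document: KeyInfo carries a raw RSA KeyValue next to the X509Certificate, so a verifier that accepts any key data takes the bare key and never reaches certificate or CRL validation. The following is an added example, not code from the xmlsec project or from this thread, that pre-checks a signed document for that condition before it is handed to the verifier. It assumes the verifier behaves as described above (default enabledKeyData, KeyValue used when present); the sample documents are constructed to mirror the structure quoted in the thread, with placeholder base64 payloads rather than real key or signature material.

```python
"""Pre-check for a bare public key in an XML Signature's KeyInfo.

Added example; not code from the xmlsec project or from this thread.
Assumption: the verifier (xmlsec with its default enabledKeyData) takes
the key from <KeyValue> when it is present, so the certificate in
<X509Data> and any CRL are never consulted. This check flags such
documents before they reach the verifier.
"""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed template mirroring the quoted document's structure.
# Digest, signature and certificate payloads are placeholders.
_TEMPLATE = """<demo id="test">
  <Data>Hello, World!</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>DIGEST-PLACEHOLDER</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>SIGNATURE-PLACEHOLDER</SignatureValue>
    <KeyInfo>{key_data}</KeyInfo>
  </Signature>
</demo>
"""

# Constructed KeyInfo children: a bare RSA key and an X.509 certificate.
KEYVALUE_BLOCK = (
    "<KeyValue><RSAKeyValue><Modulus>MODULUS-PLACEHOLDER</Modulus>"
    "<Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>"
)
X509_BLOCK = "<X509Data><X509Certificate>CERT-PLACEHOLDER</X509Certificate></X509Data>"

# The shape quoted in the thread: bare key first, certificate second.
SIGNED_WITH_KEYVALUE = _TEMPLATE.format(key_data=KEYVALUE_BLOCK + X509_BLOCK)
# Hardened shape: the only way to get the key is to read the certificate.
SIGNED_X509_ONLY = _TEMPLATE.format(key_data=X509_BLOCK)
# Degenerate shape: nothing usable in KeyInfo at all.
SIGNED_NO_KEYDATA = _TEMPLATE.format(key_data="")


def key_info_sources(xml_text):
    """Return the local names of every child of every ds:KeyInfo element,
    in document order (e.g. ["KeyValue", "X509Data"])."""
    root = ET.fromstring(xml_text)
    found = []
    for key_info in root.iter(f"{{{DSIG_NS}}}KeyInfo"):
        for child in key_info:
            # child.tag has the form "{namespace}LocalName"
            found.append(child.tag.rsplit("}", 1)[-1])
    return found


def uses_bare_key(xml_text):
    """True when KeyInfo carries a KeyValue, which lets the signature verify
    without the certificate (and therefore the CRL) ever being examined."""
    return "KeyValue" in key_info_sources(xml_text)


def check_document(xml_text):
    """Classify a document for a verifier that must enforce CRL checks."""
    sources = key_info_sources(xml_text)
    if "KeyValue" in sources:
        return ("REJECT: KeyInfo contains KeyValue; the verifier would use it "
                "directly and skip certificate validation")
    if "X509Data" in sources:
        return ("OK: only X509Data present; the verifier has to validate the "
                "certificate chain and CRLs to obtain the key")
    return "REJECT: no usable key data in KeyInfo"


if __name__ == "__main__":
    for name, doc in (("with KeyValue", SIGNED_WITH_KEYVALUE),
                      ("X509 only", SIGNED_X509_ONLY),
                      ("no key data", SIGNED_NO_KEYDATA)):
        print(f"{name:14s} sources={key_info_sources(doc)} -> {check_document(doc)}")
```

The check is a guard at the application boundary; the real fix is the one named in the thread, restricting enabledKeyData on the key-info read context so the verifier refuses KeyValue and is forced through X509Data (in xmlsec that means adding only the X.509 key data id to the context's enabledKeyData list, as the command line tool does). Modifying KeyInfo in transit to strip the KeyValue is deliberately not done here: re-serialising the document can change namespace prefixes and break canonicalization of SignedInfo.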